
SQL Injection


rswildy

Recommended Posts

Can you check these 2 functions I wrote up and tell me anything I should change or that is not needed? Also explain anything that needs adding to it. I need suggestions; I'm creating a script that is not vulnerable to SQL attacks, and my framework is going to be open source.

/*
 * Encode the value to stop SQL
 * injection.
 */
function mysql_encode ($value)
{
    $value = trim($value);
    $value = nl2br($value);
    $value = htmlentities($value, ENT_QUOTES);
    if ($value == null) {
        $value = 'NULL';
    }
    if (is_bool($value)) {
        $value = $value ? 1 : 0;
    }
    if (is_numeric($value))
    {
        intval($value);
    }
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    if (!is_numeric($value))
    {
        mysql_real_escape_string($value);
    }
    $value = addcslashes($value, '%_');
    return $value;
}

/*
 * decode the value from SQL
 */
function mysql_decode ($value)
{
    $value = html_entity_decode($value, ENT_QUOTES);
    if ($value == 'NULL') {
        $value = '';
    }
    $value = stripslashes($value);
    return $value;
}


You might be taking too many liberties with the data. An escape function really only needs to add slashes before quotes; that's really the only thing that can screw up a query (assuming string data). I'm not sure I would want my escape function to also use trim, nl2br, and htmlentities. If I wanted those operations done on the data I would do them myself. What if you have a string of binary data? Are you going to want to add a <br /> tag after each 0x20 byte and then convert everything to HTML entities? You need to ask yourself why you're using the things you are. Why use htmlentities? What problem is using that function supposed to solve, how does it solve the problem, and are there any side effects?

Also, all numeric values are not necessarily integers. Floats, hex, and scientific notation are examples which will pass is_numeric but are not integers.


Also, as your code notes, you have the built-in function mysql_real_escape_string(). This is the only function that you really need. It will do everything that has to be done with the data, so that if it gets placed into an SQL query, it doesn't cause an SQL injection. However, in your current code, you aren't doing anything with the returned (escaped) string. The way a query should look in the end is, for example:

$conn = mysql_connect('localhost', 'root', '');
// mysql_real_escape_string() takes the string first and the link second,
// and the escaped value only works when it is wrapped in quotes in the SQL.
$query = "SELECT * FROM users WHERE name = '" . mysql_real_escape_string($_POST['username'], $conn)
       . "' AND password = '" . mysql_real_escape_string(sha1($_POST['password']), $conn) . "'";

In other words, the mysql_encode() function you're trying to encode will pretty much be a replica of mysql_real_escape_string().

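The same login query built the way the reply above describes, plus the prepared-statement form, as an added example that is not code from this thread. It assumes a mysqli connection (the mysql_* extension used in the thread was removed in PHP 7), a table named users, and the credentials shown.

```php
<?php
// Added example, not from the thread. Assumes mysqli and a table `users`.

// 1) Escape-and-quote: mysqli_real_escape_string() only neutralises quote and
//    control characters, so the escaped value MUST be placed inside quotes.
//    A value containing no quote characters passes through the function
//    unchanged, which is why an unquoted  name = $u  is still injectable.
function build_login_query(mysqli $conn, string $user, string $passHash): string
{
    $u = mysqli_real_escape_string($conn, $user);
    $p = mysqli_real_escape_string($conn, $passHash);
    return "SELECT * FROM users WHERE name = '$u' AND password = '$p'";
}

// 2) Prepared statement: the SQL text and the values travel separately, so
//    the values are never parsed as SQL and no quoting logic is needed at all.
//    Returns true when a matching row exists.
function user_exists(mysqli $conn, string $user, string $passHash): bool
{
    $stmt = $conn->prepare('SELECT 1 FROM users WHERE name = ? AND password = ?');
    $stmt->bind_param('ss', $user, $passHash);   // both bound as strings
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

$conn = new mysqli('localhost', 'root', '', 'app');   // assumed credentials
$user = $_POST['username'] ?? '';
$hash = sha1($_POST['password'] ?? '');              // sha1 kept from the thread

// Escape-based form: safe only because build_login_query() quotes the values.
$result = $conn->query(build_login_query($conn, $user, $hash));

// Prepared-statement form: the recommended way for new code.
$ok = user_exists($conn, $user, $hash);
```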

Remember that PHP is dynamically typed with no type safety, so for all purposes 0, the integer, is much the same as 0.0, "0", or even false.


Archived

This topic is now archived and is closed to further replies.
